For starters, things will become clearer once you realize the key string is the only part of the QR code that is critical or of any importance.
Read one of your QR codes in any smartphone QR app, and it will reveal the QR code is nothing more than a few plain-text strings. The key string is one of those fields, and is the
only field that is used to generate those 6-digit numeric codes an authenticator displays when you use it. There may be a couple other fields, but they are merely for the user's convenience, such as a "name" field to help the user differentiate one TOTP token from another. You can add, remove, or edit those extra fields -- which I regularly do -- and they won't affect the calculation of those 6-digit codes, since authenticators just ignore them anyway.
There is nothing else unique about the QR code.
Right now I have them on an encrypted USB but if that's done - I'm done with that. For some I've also only saved a text string and not the QR code (note sure why) [...] How do you do it? Do you have it several locations or how?
The key string is the only thing critical to backup. If you save the QR code, you're de facto saving the key string because that's what is embedded in the QR code, so it's effectively the same thing as saving the key string in a text file. You can extract the key string from the QR code, and you can generate a new QR code from the text string, so I don't think one way is inherently any better than the other.
That said, for convenience I do both. I take screen shots of the QR codes and drop them in a small Veracrypt container, and also save copies of the text string. (Your USB stick is effectively the same thing as my Veracrypt.) QR screenshots are convenient when I need to set up the TOTP token on a different smartphone -- just pull up the picture on the computer and point the smartphone camera at the screen.
I also copy the alphanumeric key string and put it in the Notes field of my password manager (I use Bitwarden). The text version is useful for cut-and-paste setup of the token on authenticators that can't read QR codes, such as on a desktop computer.
Of course, you can save backups in any password manager of your choice, so Bitwarden isn't unique there. As an aside, though, I'll mention that the paid version of Bitwarden activates the TOTP function within the Bitwarden app or extension, so besides just holding a backup of the string you can also use Bitwarden in lieu of other authenticators to generate a 6-digit code whenever you need it.
Like your passwords, just follow the same best practices for backing up those TOTP key strings. Maintain multiple copies, on multiple media, in multiple locations, and use the same techniques you're already familiar with (good passwords, yada, yada) to secure those copies.
FWIW, my webpage, "
Understanding Two-Factor Authentication", has some other helpful tips.